Desktop Viewer Applications

Important: You need to trust the certificate which is used to validate the signature; otherwise, the signature validation in the application will be shown as self-signed.

Legend:

  • insecure - Application is vulnerable to the attack
  • secure - Application is not vulnerable to the attack
  • (PoC) - Proof-of-Concept Exploit for the specific viewer application
  • USF - Universal Signature Forgery CVE-2018-16042
  • ISA - Incremental Saving Attack CVE-2018-18688
  • SWA - Signature Wrapping Attack CVE-2018-18689

Windows

Application Version USF ISA SWA
Adobe Acrobat Reader DC 2018.011, 2019.008.20080 insecure (PoC) secure secure
Adobe Reader XI 11.0.10, 11.0.23 insecure (PoC) secure secure
eXpert PDF 12 Ultimate 12.0.20 secure secure insecure (PoC)
Expert PDF Reader 9.0.180 secure secure insecure (PoC)
Foxit Reader 9.1.0, 9.2.0.9297, 9.3.0.10826 secure insecure (PoC) insecure (PoC)
LibreOffice (Draw) 6.0.6.2, 6.1.3.2 secure insecure (conditional) (PoC) secure
Master PDF Editor 5.1.12, 5.1.68 secure insecure (PoC) secure
Nitro Pro 11.0.3.173 secure insecure (conditional) (PoC) insecure (PoC)
Nitro Reader 5.5.9.2 secure insecure (conditional) (PoC) insecure (PoC)
Nuance Power PDF Standard 3.0.0.17, 3.0.0.30 secure insecure (PoC) secure
PDF Architect 6 6.0.37, 6.1.24.1862 secure secure insecure (PoC)
PDF Editor 6 Pro 6.4.2.3521 insecure (conditional) (PoC) insecure (PoC) insecure (PoC)
PDF Experte 9 Ultimate 9.0.270 secure secure insecure (PoC)
PDFelement6 Pro 6.8.0.3523, 6.8.4.3921 insecure (conditional) (PoC) insecure (PoC) insecure (PoC)
PDF Studio Viewer 2018 2018.0.1, 2018.2.0 secure insecure (PoC) insecure (PoC)
PDF Studio Pro 12.0.7 secure insecure (PoC) insecure (PoC)
PDF-XChange Editor 7.0.326, 7.0.237.1 secure secure insecure (PoC)
PDF-XChange Viewer 2.5 secure secure insecure (PoC)
Perfect PDF 10 Premium 10.0.0.1 secure insecure (PoC) insecure (PoC)
Perfect PDF Reader 13.0.3, 13.1.5 secure insecure (PoC) insecure (PoC)
Soda PDF Desktop 10.2.09, 10.2.16.1217 secure secure insecure (PoC)
Soda PDF 9.3.17 secure secure insecure (PoC)

Linux

Application Version USF ISA SWA
Adobe Acrobat Reader DC 2018.011 insecure (PoC) secure secure
Adobe Reader 9 9.5.5 secure secure secure
Foxit Reader 9.1.0 , 9.2.0 secure insecure (PoC) insecure (PoC)
LibreOffice (Draw) 6.0.3.2 , 6.1.3.2 secure insecure (conditional) (PoC) secure
Master PDF Editor 5.1.12, 5.1.68 secure insecure (PoC) secure
PDF Studio Viewer 2018 2018.0.1, 2018.2.0 secure insecure (PoC) insecure (PoC)
PDF Studio Pro 12.0.7 secure insecure (PoC) insecure (PoC)

macOS

Application Version USF ISA SWA
Adobe Acrobat Reader DC 2018.011,2019.008.20080 insecure (PoC) secure secure
Adobe Reader XI 11.0.10, 11.0.23 insecure (PoC) secure secure
Foxit Reader 9.1.0 , 9.2.0 secure insecure (PoC) insecure (PoC)
LibreOffice (Draw) 6.1.0.3, 6.1.3.2 secure insecure (conditional) (PoC) secure
Master PDF Editor 5.1.24, 5.1.68 secure insecure (PoC) secure
PDF Editor 6 Pro 6.6.2.3315, 6.7.6.3399 insecure (conditional) (PoC) insecure (PoC) insecure (PoC)
PDFelement6 Pro 6.7.1.3355, 6.7.6.3399 insecure (conditional) (PoC) insecure (PoC) insecure (PoC)
PDF Studio Viewer 2018 2018.0.1, 2018.2.0 secure insecure (PoC) insecure (PoC)
PDF Studio Pro 12.0.7 secure insecure (PoC) insecure (PoC)

Download PoCs

You can get all Proof-of-Concept exploits in one tar.gz file via the following link.

Online Validation Services

Please note that we do not provide any exploit, due to the reason that the services are already fixed and thus it would not be possible to test the PoCs against any services.

Legend:

  • insecure - Application is vulnerable to the attack
  • secure - Application is not vulnerable to the attack
  • USF - Universal Signature Forgery
  • ISA - Incremental Saving Attack
  • SWA - Signature Wrapping Attack
  • - It was not possible to evaluate this services, because we had no pdf document containing a signature which the service would trust.
Online Validation Service Version USF ISA SWA Fixed
DocuSign v1 REST API with PDFKit.NET 18.3.200.9768 secure insecure insecure not fixed yet
eTR Validation Service v 2.0.3 secure insecure insecure secure
DSS Demonstration WebApp WebApp 5.2 secure insecure secure not fixed yet
DSS Demonstration WebApp WebApp 5.4 secure secure secure secure
Evotrust 12.0.20 secure insecure secure not fixed yet
VEP.si 2017-06-26 secure insecure secure secure
SiVa Sample Application release-2.0.1 - - - -

Responsible Disclosure

As part of our research, we started a responsible disclosure procedure after we identified 21 out of 22 desktop viewer applications vulnerable against at least one of our attacks.

In cooperation with the CERT-Bund, the national CERT section of BSI, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues, and three generic CVEs for each attack class were issued: CVE-2018-16042 (USF), CVE-2018-18688, CVE-2018-18689.

Acknowledgements

We would like to thanks the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams which reacted to our report and fixed the vulnerable implementations.